NSA

How to Keep Your Government from Spying on You

Or at least make it more difficult.

|

“Does the [National Security Agency] collect any type of data at all on millions or hundreds of millions of Americans?” Sen. Ron Wyden (D-Ore.) asked James Clapper, the director of national intelligence, during a Senate Intelligence Committee hearing in March. Clapper replied, “No sir…not wittingly.”

We now know that was a bald-faced lie. Or as Clapper nicely parsed it later, it was the “least untruthful” statement. The NSA has been collecting telephone and telecommunications data from tens of millions of Americans for years now.

The idea is that this data is collected but no federal spook actually looks at it unless additional informationâ€"say, a letter from Russia warning about a couple of Chechens living Bostonâ€"prompts them to winnow the data seeking connections that might indicate a person is up to no good. But it hasn't worked out that way. Christopher Soghoian, a policy analyst at the American Civil Liberties Union, likens the situation to having someone tell you that he wants to put a video camera in your bedroom but will not actually look at the stored video unless something bad happens later.

The NSA was able to obtain all that personal information about American citizens because the dominant Internet business model is to exchange free services for personal information that enables targeted advertising. When I interviewed Soghoian, he suggested that the free market has delivered us into a world that is insecure by default. But when I pointed out that Verizon and the other telephone companies are highly regulated semi-monopolies, Soghoian agreed, noting that the phone companies are subject to more regulation that Internet companies like Google or Facebook. That gives the government more opportunities for punishing them should they be recalcitrant when it comes to government demands. Soghoian added that the telephone industry has been practicing surveillance for 100 years already.

Seeking information on the nuts and bolts of technical steps that citizens might take to shield themselves from electronic snooping by the government, I talked with Mark Wuergler, a senior security researcher at the cybersecurity firm Immunity, Inc. “I have bad news for the average citizen,” Wuergler told me: In order to avoid monitoring by the government, citizens need to have control over their own hardware, networks, and servers and use encryption ubiquitously. He’s pretty certain that currently available methods for trying to maintain data privacy and security are so clunky and complicated that most Americans will simply not bother trying to use them. “It boils down to less convenient more secure; more convenient less secure,” Wuergler said. “You just need to assume that your data is being watched.”

Assuming that your data is being watched, what might you do to hide it?

First, consider not putting so much stuff out there in the first place. Wuergler devised a program he calls Stalker that can siphon off nearly all of your digital information to put together an amazingly complete portrait of your life and pretty much find out where you are at all times. Use Facebook if you must, but realize you’re making it easy for the government to track and find you when they choose to do so.

A second step toward increased privacy is to use a browser search engine like DuckDuckGo, which does not collect the sort of informationâ€"say, your IP addressâ€"that can identify you with your Internet searches. Thus, if the government bangs on their doors to find out what you’ve been up to, DuckDuckGo has nothing to hand over. I have decided to make DuckDuckGo my default for general browsing searching, turning to Google only for items such as breaking news and scholarly articles. (Presumably, the NSA would be able to tap into my searches on DuckDuckGo in real time.)

Third, TOR offers free software and a network of relays that can shield your location from prying eyes. TOR operates by bouncing your emails and files around the Internet through encrypted relays. Anyone intercepting your message once it exits a TOR relay cannot trace it back to your computer and your physical location. TOR is used by dissidents and journalists around the world. On the downside, in my experience it operates more slowly than, say, Google.

Fourth, there is encryption. An intriguing one-stop encryption solution is Silent Circle. Developed by Phil Zimmermann, the inventor of the Pretty Good Privacy encryption system, Silent Circle enables users to encrypt their text messages, video, and phone calls, as well as their emails. Zimmermann and his colleagues claim that they, or anyone else, cannot decrypt our messages across their network, period. As Wuergler warned, this security doesn’t come free. Silent Circle charges $10 per month for its encryption services.

You might consider encrypting the data stored on your computer using the free encryption software offered by TrueCrypt. If you keep data in the cloud, you might use SpiderOak, which bills itself as a “zero-knowledge” company. That means it does not have any way to decrypt the data you store with it. However, SpiderOak will provide personally identifiable information about users to law enforcement if required to do so by law. The company offers two gigabytes of free storage for beginners.

With regard to encrypting data, you should keep in mind a recent case, United States v. Fricosu. Ramona Fricosu was accused of mortgage fraud. Asserting Fifth Amendment protections against self-incrimination, Fricosu refused to provide prosecutors with the password to her encrypted computer. A federal judge ordered her to provide the password or supply a decrypted hard drive to the police. She claimed to have forgotten the password, but her husband offered the police some plausible possibilities, one of which worked.

Now for some bad news. Telephone metadata of the sort the NSA acquired from Verizon is hardâ€"read: impossibleâ€"to hide. As the ACLU’s Soghoian notes, you can’t violate the laws of physics: In order to connect your mobile phone, the phone company necessarily needs to know where you are located. Of course, you can avoid being tracked through your cell phone by removing its batteries (unless you have an iPhone), but once you slot it back in, there you are.

For lots more information on how to you might be able to baffle government monitoring agencies, check out the Electronic Frontier Foundation's Surveillance Self-Defense Web pages.

Wuergler is sanguine about NSA snooping. “To me personally, I think it’s an acceptable risk,” he told me. “I believe that it’s not being used on a mass basis against American citizens. At least I hope not.” I hope not, too. But in the meantime, I want to rely on something more than hope when it comes to reining in government power.

Advertisement

NEXT: Microsoft Office Comes to iPhone

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. You can shout Big Brother or program run amok, but if you actually look at the details, I think we’ve struck the right balance

    And I think you should go fuck yourself.

    1. Start working at home with Google! This is certainly the nicest-work I have ever done . Last Monday I got a new Alfa Romeo from bringing in $7778. I started this 9 months ago and practically straight away started making more than $83 per hour. I work through this link, Bling6.com

  2. She claimed to have forgotten the password, but her husband offered the police some plausible possibilities, one of which worked.

    Wait, what? Why was he talking to them?

    1. They can’t even compel him to testify; what the fuck was he doing?!?

      1. He might have had an angle, for example a pending divorce case…

        1. “Sir, we can’t make you testify, but we will tell you that you can score unbelievably young, hot, and stupid tail by talking about how hard it is to remain faithful to your wife who is in prison for the next 15-25 years.”

      2. And why was her password plausible? Always go for random.

    2. Wait, what? Why was he talking to them?

      The presumption here is that they’re happily married. Chances: low.

      1. How badly do you have to hate someone to betray them to the Feds? Its him and Dillinger’s girlfriend on a pretty short list.

        1. I’ll get back to you.

        2. “Mr Johnson, as Mrs Johnson’s husband, we believe that you were a conspirator in her crimes and will prosecute you accordingly. Unless, er, you can provide us some background information for her.”

        3. naw, the feds lied to him and convinced the poor dumbass that by cooperating, he was helping her

      2. Yeah, but privilege? Or does it not work like that?

        1. It really depends on the jurisdiction. The wiki for Marital Privilege, goes into the details. As to whether a spouse may testify against the other spouse, in Federal Court, that privilege rests with the testifying spouse. Not the one who divulged information to the testifying spouse.

          However, according to the wiki, spousal communications are also privileged, and in their case, both spouses have the privilege to prevent their disclosure. There are a bunch of exceptions to that privilege.

          What either spousal privilege usually prevents is the Feds subpoenaing the spouse and compelling them to testify.

        2. if the spouse doesn’t want to talk, he claims privilege. If he wants to talk, he can, but the attorney can object. But since most judges are statist assholes, guess who wins? Not all judges though, the one at my trial really helped me; I was pro se

          1. Chase. even though Dale`s artlclee is neat, last tuesday I got a great Lotus Carlton after earning $9739 this – 4 weeks past an would you believe 10/k this past munth. this is really the easiest-job I’ve ever done. I began this eight months/ago and pretty much straight away began to make over $80 per-hour. I work through this link Click Here

    3. It was her ex-husband.

  3. someone should invent something like the Opti-Grab that hangs a picture that looks like an OFA office in front of your computer monitor camera.

  4. Thx for the helpful links Ron.

  5. OT:

    Detroit to employee union pensioners – “Fuck you.”

    http://www.freep.com/comments/…..llion-city

    1. Well, what do you think happens when the city runs out of money?

      For the last half a century Detroit politicians have agreed to higher pensions than they could actually fund with other peoples money. I’m sure that got those politicians a lot of votes from the very same union pensioners who are effected. I don’t have much sympathy for the pensioners who voted themselves other peoples money.

  6. I remember a simpler, happier time when disabling cookies was the cutting edge of cyber security.

  7. I would want a “dead man” switch in my encrypted data. If the user doesn’t enter in a (different than the main) password every N days, the data will automatically be deleted. Sure, it would be PITA to maintain, but make it part of your daily routine.

    1. I’d prefer a system that has two passwords, one that allows access, the other that wipes the data. “Sure officer, I’ll give you a password…”

      1. dunno – would prefer to stall them for a day or two, shed some crocodile tears, give out the password, and then have them try to access the “incriminating” data. What do you know? There’s nothing there.

        1. Then you’re indicted for lying to federal prosecutors. You need the dummy password to generate random data that looks real, or pre-store some innocuous stuff and have the rest auto delete.

      2. Assume that if someone is looking at your data, they’ve already cloned the drive. Then they have proof you destroyed the evidence.

        1. Assume that if someone is looking at your data, they’ve already cloned the drive. Then they have proof you destroyed the evidence.

          How so? They can’t read the encrypted clone, so they have no idea what’s on it. Once encrypted “nothing” looks just like everything else.

          1. If the “clone” is 200 GB and the original that’s been wiped clean is something much less I’d think that would be a pretty good indication that something’s missing.

            They may not be able to decrypt and read the cloned data, but they still know you destroyed evidence.

            1. Yea, they know if the data is different.

              Funny enough, to wipe the encrypted data, you probably wouldn’t even need to delete it or zero it out. Just drop some random bits all over it. That would depend on what the cipher is, though. With a cyclical block cipher, you probably could still recover some chunks.

              1. Thats how the feds wipe sensitive stuff off their own hard drives. Just deleting files doesn’t actually delete them, it just tells the OS it can write new stuff on those sectors, so it can be recovered. The only way to really wipe it is to write over it with random 1’s and 0’s. I think DOJ guidlines requires 7 passes of overwriting.

          2. You can certainly make a clone of the raw data on the drive, and it’s the first thing they would do before examining it.

            Stick the drive in another computer, direct clone (say, with dd).

            Do the decrypt operation requested. If it doesn’t work, and the data on the drive at that point doesn’t match what was there before? Suspect used the deletion key.

            1. Actually, no you wouldn’t/don’t stick the drive in another computer.

              There are dedicated hardware devices that clone an existing hard drive and don’t rely on any kind of general OS. The first thing you do is clone a couple of backups. And you crack the backups, leaving the original in it’s current condition.

        2. jury ignorance works both ways:
          “They Cloned my client’s drive? Really? As you all know ‘cloning’ is illegal and impossible.”

      3. No the better item is a rotating password that you don’t know. And you can only get it if a system confirms that you are not providing it under compulsion from the law.

        SIMPLE.

    2. It is fairly easy to do on a local drive by extending truecrypt to simply wipe or rotate bytes in the “data” file with a bad password. However, it wouldn’t work once you drive is imaged by law enforcement. They access everything through read-only device and can copy things over from it. It couldn’t work. If it were remotely stored on a web-server that they didn’t have the physical location of – that could work 🙂

  8. OT: Obama Campaign Reignites Gun Fight
    http://www.weeklystandard.com/…..35285.html

    1. They need to milk those dead kids for all they’re worth, after all.

      1. There were only five deaths at that community college in California, including the gunman. What a damn shame. There was so much potential for a high body count. Imagine if he was able to wipe out about a hundred unarmed civilians on that campus. IRS and domestic spying stories would have been taken off the burner for the entire summer. Common sense gun control would have sailed through. Obama’s polls would be in the high seventies with his critics once again socially outcasted and marginalized. You know what those decaying corpses of school children smell like to us? Victory.

      2. They need to milk those dead kids for all they’re worth, after all.

        I read that as “…milk those dead kittens…”. Thought you were conflating that story about the animal control officer shooting a bunch of kittens and that scene from Dune.

    2. They’re just gonna keep fucking that chicken huh?

  9. “How to Keep Your Government from Spying on You”

    Simple. Get ’em to recognize A-4.

  10. DuckDuckGo is a search engine, not a browser.

    1. N: Grrr. Good point. Thanks.

  11. This article in general is helpful, but this kind of comment is annoying: “Use Facebook if you must, but realize you’re making it easy for the government to track and find you when they choose to do so.”

    The federal government sure as hell does not need Facebook to find out where I am. In fact, I wouldn’t be using Facebook if I were terribly concerned about people knowing roughly where I am. Seriously, is there anyone out there who reads that and says, “ZOMG! I had no idea that posting ‘Having a great time in LA!’ let the government know where I was!”

    Also, Duck Duck Go is a search engine, not a browser. As a techie, I find their claim “we do not store IP addresses or unique User agent strings” unlikely as a general rule – if that were really true, they’d have no way of identifying and blocking abusive users or spiders, for example.

    1. Not to mention I have never heard of any production web server routing the access logs to dev/null/… The access logs of apache or websphere are going to contain the IP, the Timestamp, the User Agent, along with the exact request including the search term (if they use GET to pass the query). Maybe they rotate once a day and delete everything older than day, but it is pure BS they don’t store that information.

      1. I assume when they say they don’t store any data, they temporarily store it to cache and then flush the cache when the session ends.

        1. JW: That is my understanding. But y’all could clear it up by clicking on over to their site, where they claim among other things:

          When you search at DuckDuckGo, we don’t know who you are and there is no way to tie your searches together.

          When you access DuckDuckGo (or any Web site), your Web browser automatically sends information about your computer, e.g. your User agent and IP address.

          Because this information could be used to link you to your searches, we do not log (store) it at all. This is a very unusual practice, but we feel it is an important step to protect your privacy.

          It is unusual for a few reasons. First, most server software auto-stores this information, so you have to go out of your way not to store it. Second, most businesses want to keep as much information as possible because they don’t know when it will be useful. Third, many search engines actively use this information, for example to show you more targeted advertising.

          Another way that your searches are often tied together at other search engines are through browser cookies, which are pieces of information that sit on your computer and get sent to the search engine on each request. What search engines often do is store a unique identifier in your browser and then associate that identifier with your searches. At DuckDuckGo, no cookies are used by default.

  12. U.S. Agencies Said to Swap Data With Thousands of Firms

    Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.

    Sweet!

    1. Hey, at least they’re not GIVING it away.

      1. I was wondering how Google maps got those images of area 51

  13. Re telephone metadata, you might try making as many calls as possible via WiFi calling. That way you’re not connecting to the Cell Phone network. I know this works even if you havn’t even activated a cell-phone plan. However, we used a Google-voice number and Google is likely providing your calling data to the NSA.

    However, there is a project to build an open-source Skype clone called “GNU Free Call” that might be immune from wiretapping (it’s peer-to-peer and open source).

    http://www.gnutelephony.org/in…..e_Call_GUI

    It’s an announced project, but not yet developed.

    1. “GNU Free Call”

      VERY interesting. I will be keeping track of this one. Thanks for the heads up!

  14. I KNEW IT!!!! Bailey is Anon-bot!!!

  15. Hide from the government? You mean like selling millions of dollars worth of drugs on Silk Road without being detected?

    Start with a Linux OS. I use Mint 14 (KDE). You can use a lighter version, or start from scratch and build a hardened OS. Install a sandbox like Whonix. A VPN, Tor, Thunderbird, Enigmail, Tormail, GnuPG (or GPG4Win). You can incorporate Tormail into T-bird, but you need to change the proxy settings in T-bird. Do not try to use a Gmail account in T-bird with Tormail. Gmail gets all huffy about accessing it from a Tor exit node. (I wonder why)

    Then check your shit here:

    https://torcheck.xenobite.eu/index.php

    For IM use Pidgin OTR. On your smartphone you can try Giggerbot with Orbot, but I heard that is buggy, but very secure.

    I am not sure about RedPhone, I haven’t used it yet. I am waiting on a stable version of Ubuntu for smartphones. Should be coming soon.

    If you are concerned about being raided, you can use Tails on a computer without a hard drive.

    This is about 95% effective, depending mostly on human error.

    Of course, most of these measures cut down on speed, and can be buggy at times. It all depends how much you are willing to sacrifice for privacy and anonymity. Oh and, there is a difference between privacy and anonymity.

    1. Almost forgot. Everything I mentioned is legal to use in the US (for now). If you are not in the US, check your country’s laws.

      1. Why do that yourself? Just download the Tails Linux distro – it does EVERYTHING you listed and has built-in security protocols to make sure you don’t do anything stupid to boot. It’s free and made for USB boots. You can even keep persistent data through TrueCrypt or better.

        1. Because I do not always require the same level of security. I like a full functioning OS, which is why I use KDE desktop. If I need to shoot someone a quick message or email, I open up Pidgin, or just encrypt a note and shoot it through Gmail. If I’m looking to by a couple Kilos of blow, then I go all out.

  16. A second step toward increased privacy is to use a browser like DuckDuckGo, which does not collect the sort of information

    Is it a browser or a search engine? I thought it was a search engine.

    I have decided to make DuckDuckGo my default for general browsing, turning to Google only for items such as breaking news and scholarly articles

    Google is not a browser. Google is a search engine. Google Chrome is a browser.

    1. e: Yep. Fixed. Thanks.

    2. Comodo Dragon is a browser built on Chrome that will increase your security and anonymity a small amount, with a built in firewall, and the ability to have different accounts open at the same time

  17. Who said it was my government?

  18. Best solution is to simply use Tails linux distribution on a usb drive whenever you do something shady… It’s totally free and can warn you every time you try and do something stupid that can possibly identify you (like logging into an e-mail address you accessed from your personal IP address).

    1. I don’t log in to anything while on Tor unless it’s on the .onion. If you log in to your bank account using Tor, the exit node operator can gain access to your log in and password, although highly unlikely.

  19. The sad truth about all of this is that the type of people they are trying to track probably know all of this anyway. They assume they are being watched, therefore they take necessary precautions. What the feds scoop up is the dumb guys who represent little threat.

    Which is why it’s all the more likely that this will eventually be used for nefarious purposes.

    1. H: Your point is well-taken.

    2. Exactly. The real criminals and terrorists are using these methods.

      1. really? most of the terrorists I have read about, especially the home grown “lone wolfs” don’t seem to have all that much savvy. Hell, half of them can’t build a bomb that works, or like the guy today, blow themselves up before they can accomplish their objective.

  20. If you think Joan`s story is impossible…, four weeks ago my sister got a cheque for $7610 sitting there fifteen hours a week an their house and their co-worker’s mother`s neighbour was doing this for three months and actually earned more than $7610 part time from there labtop. the advice at this address, Go to site and open Home for details
    http://WWW.JOBS34.COM

    1. or just send me $20 and I will teach you how to spam craigslist offering to show people how to get a free car if they send you $20

      1. not really, I know how, but won’t do it and won’t teach others to

  21. my roomate’s sister makes $78/hr on the laptop. She has been fired from work for nine months but last month her paycheck was $21857 just working on the laptop for a few hours. Read more here….. http://www.Pro76.com

  22. my classmate’s half-sister makes $89 hourly on the laptop. She has been without work for eight months but last month her pay was $17560 just working on the laptop for a few hours. Go to this web site and read more http://www.zen45.com

  23. If you are trying to catch your cheating spouse in the act, I strongly recommend you contact this awesome hacker that helped me monitor my husband’s phone. I got virtually every information my hubby has been hiding over the months easily right in my own phone, the spy app diverted all his text messages, Whatsapp, multimedia sent through the phone, social networks on his phone, phone calls and deleted messages. He could not believe his eyes when he saw the evidence because he had no idea he was hacked.. Visit Dylan Cyber Company on his website w w w . procyberhelp . com , very affordable and reliable, thank me later
    Contact : P R O C Y B E R H E L P @ G M A I L . C O M or Whatsapp, +1 620 203 5003.

  24. If you are trying to catch your cheating spouse in the act, I strongly recommend you contact this awesome hacker that helped me monitor my husband’s phone. I got virtually every information my hubby has been hiding over the months easily right in my own phone, the spy app diverted all his text messages, Whatsapp, multimedia sent through the phone, social networks on his phone, phone calls and deleted messages. He could not believe his eyes when he saw the evidence because he had no idea he was hacked.. Visit Dylan Cyber Company on his website w w w . procyberhelp . com , very affordable and reliable, thank me later
    Contact : P R O C Y B E R H E L P @ G M A I L . C O M or Whatsapp, +1 620 203 5003.

Please to post comments

Comments are closed.